How To Use OpenAM For OAuth 2.0/OIDC Federation?
Here's the situation:

  • We have a legacy system using simple user/password authentication + session cookies (and not using OpenAM).

  • We are trying to provide new services to another organization and, among other things, we are obliged to accept their users as authenticated, automatically, upon redirection from their web application. We need federated identity. We have chosen OpenAM as our new IAM, but our user data is still in the legacy system, and their users will be registered in the legacy system too. For now the users won't be aggregated into OpenAM's database.

So the rough idea for any federation scenario for us would be like this:

They redirect their user to our OpenAM endpoint, which takes a JWT (an OIDC token?) signed by their IdP, which we "trust", and somehow, based on the content of that, OpenAM issues another JWT token & redirects the user again to the legacy system with the new bearer token.

Developers at the legacy system will create some custom code to verify and read the claims inside the JWT token. Based on the claims, they create an authenticated, privileged session for the user.

I looked and found two possible solutions:

  1. The JWT from their IdP is used to start an OAuth 2.0 implicit flow + using their JWT for client authentication (as per RFC 7523). Then the user will use the access token. But:

    • I want to put the claims from the first JWT (some of them are custom) into the access token so that the legacy system uses that information to look up the user in the legacy DB and create the session. How do I tell OpenAM to include these claims in the access token? Note that there is no information about their users in OpenAM's database, just the claims from the token.

    • Also, it looks like we are authenticating their IdP and not the user, because the JWT client authentication uses their IdP's public key to verify the token's signature. How do I tell OpenAM that this token is meant for the "sub" of that JWT?

  2. Use the REST STS (Security Token Service) in OpenAM (OIDC -> OIDC). This kinda looks better suited to our situation, but I don't know how to tell OpenAM to verify their tokens. The documentation doesn't seem to provide any measures to verify the tokens? (Maybe some place to add their public key?)
oauth-2.0 openam oidc
edited Nov 11 at 4:27
asked Nov 10 at 16:39
Hossein 468
  • Please feel free to tell me if I'm thinking it dead wrong!
    – Hossein
    Nov 10 at 16:49